Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Governance

Facebook, Twitter and Google Suspend 'Inauthentic' Accounts

Social Networks Say Separate Influence Operations Trace to Iran and Russia
Facebook, Twitter and Google Suspend 'Inauthentic' Accounts
A sample of English-language content on pages suspended by Facebook

The British Left. Berniecratss. Free Scotland 2014. Patriotic Palestinian Front.

See Also: Webinar | The Future of Adaptive Authentication in Financial Services

Those are the names used by some of the "inauthentic" social media accounts and pages that Facebook, Twitter and Google have removed after saying they appeared to be tied to two separate influence operations being run by the governments of Iran and Russia.

Facebook says it has removed 652 pages, groups and accounts tied to two separate campaigns after receiving a tip from cybersecurity firm FireEye about a network of pages and sites called "Liberty Front Press."

Facebook CEO Mark Zuckerberg told reporters on Tuesday that one campaign appeared to be tied to Iran, and exhibited some signs of "ties to state-owned media." Another campaign, he said, involved "a set of activities [that] the U.S. government and others have publicly linked to Russian military intelligence services." He says Facebook is working closely with law enforcement agencies as part of their investigation.

A sample of English-language content on pages suspended by Facebook

Nathaniel Gleicher, Facebook's head of cybersecurity policy, told reporters on Tuesday that one of the Iranian campaigns, tied to Liberty Front Press, had used U.S. and Australian dollars, as well as Turkish lira and Indian rupees, to purchase more than $12,000 worth of advertising on Facebook and Instagram starting in July 2012 and continuing until this month.

Facebook says that some of those ads have now been blocked, but notes that its investigation is continuing. "Since there are U.S. sanctions involving Iran, we've also briefed the U.S. Treasury and State Departments," Facebook says in a blog post, adding that it "takes steps to prevent people in Iran and other sanctioned countries from using our ad tools."

Twitter also suspended a slew of accounts.

"Working with our industry peers today, we have suspended 284 accounts from Twitter for engaging in coordinated manipulation," Twitter says, adding that many of the accounts appear to be tied to Iran.

Sample Twitter accounts affiliated with Liberty Front Press (Source: FireEye)

Google, meanwhile, removed certain YouTube and Google Plus content (see Google Suspends YouTube Accounts, Content Linked to Iran.)

Iranian Targets: US, UK and Beyond

FireEye says at least some of these campaigns appeared to target the U.S., U.K., Latin America and the Middle East.

"This operation is leveraging a network of inauthentic news sites and clusters of associated accounts across multiple social media platforms to promote political narratives in line with Iranian interests," FireEye says in a blog post. "These narratives include anti-Saudi, anti-Israeli, and pro-Palestinian themes, as well as support for specific U.S. policies favorable to Iran, such as the U.S.-Iran nuclear deal (JCPOA)."

FireEye says it has "moderate confidence" that at least one of these campaigns is tied to "Iranian actors," based on site registration details, social media account links to Iranian phone numbers as well as the content that links to Iranian political interests consistently being promoted.

The homepage of the Liberty Front Press homepage, as seen on Aug. 22, 2018. As of that date, no new content appeared to have been posted on the site since June 18, according to FireEye.

FireEye says it found at least 11 Twitter accounts that at some point claimed to have ties to Liberty Front Press, or which reused its imagery. "Most of these Twitter accounts are linked to phone numbers with the Iranian +98 country code, despite listing their locations as being within the U.S. Many were created on the same day as at least one other account," FireEye says in a report that it shared with Information Security Media Group.

For example, two Twitter accounts, @libertyfrontpr and @libertyfronp, were subsequently renamed to @berniecratts and @riseagainstr, respectively, referring to Sen. Bernie Sanders, an independent politician from Vermont, and a supposed group calling itself "Rise Against the Right."

A tweet posted by the Twitter account @libertyfrontpr, which was later renamed @berniecratss (Source: FireEye)

Both FireEye and Facebook caution that they have not identified any specific individuals behind these campaigns or links to known government operators (see Cybercrime Groups and Nation-State Attackers Blur Together).

FireEye also notes that someone else could be pretending to be Iranian to throw investigators off of the scent. "Influence operations, by their very nature, are intended to deceive by mimicking legitimate online activity as closely as possible," FireEye says.

Tip From FireEye

Facebook officials thanked FireEye for the tip that led to its latest takedown of pages, groups and accounts. "Based on FireEye's tip, we started an investigation into 'Liberty Front Press' and identified additional accounts and Pages from their network. We are able to link this network to Iranian state media," Gleicher says.

Facebook found content that was created by a group with ties to Iranian state media. While some of the content dated from 2013, the group intensified its focus on the U.S. and U.K. beginning in 2017, he said.

Over the course of three waves of this investigation, Gleicher says Facebook found and suspended 254 Facebook pages, 276 Facebook accounts, 3 groups on Facebook as well as 116 Instagram accounts with ties to Liberty Front Press. Some pages and accounts had also been used to try and hack into people's accounts as well as spread malware, Gleicher says.

About 830,000 legitimate accounts followed one of the inauthentic Facebook pages, while the inauthentic Instagram accounts had amassed more than 59,000 followers.

A sample of English-language content on pages suspended by Facebook

The shutdown of the allegedly inauthentic accounts and pages came one day after Microsoft said that it had obtained a court order that allowed it to seize and sinkhole six domain names that appeared to have been created by the Russian military intelligence hacking team known as Fancy Bear, aka APT28. The fake sites appear to have been designed as part of espionage operations targeting conservative think tanks and the U.S. Senate, as well as organizations and individuals with whom they work. In some cases, victims may have been lured to the fake, lookalike sites, and had their systems infected with malware (see Microsoft Uncovers Fresh Russian Attack Infrastructure).

Information Operations Investigations Continue

Those efforts follow Facebook removing eight pages and about 24 accounts for what it described as their being "involved in coordinated inauthentic behavior," at least some of which appeared to be designed to try and influence the upcoming U.S. midterm elections on Nov. 6. At the time, Facebook declined to identify who it thought might be behind those efforts (see Facebook Reveals Ongoing Political Influence Campaigns).

Facebook officials say there's a difficult balance to be struck between immediately suspending such content, or waiting to see where it leads.

"We've been investigating some of these campaigns for months now - which highlights the tension we face in every investigation between removing bad actors quickly and improving our defenses over time, because if we remove them too early, it's harder to understand their playbook and the extent of their network," Zuckerberg told reporters on Tuesday. "It can also make it harder for law enforcement who are running their own investigations."

Sites Battle 'Inauthentic' Activity

The latest campaigns to be discovered demonstrate that "significant" information operations remain ongoing and that "that actors beyond Russia continue to engage in and experiment with online, social media-driven influence operations to shape political discourse," FireEye says.

But why flag these information operations efforts as being "inauthentic"? FireEye says it prefer the term to describe the types of social media accounts, websites and content that it has tied to the influence operations. "We use the term 'inauthentic' to describe sites that are not transparent in their origins and affiliations, undertake concerted efforts to mask these origins, and often use false social media personas to promote their content," it says.

Whoever is behind such campaigns creates their own content as well as sometimes reuses legitimate content, although sometimes alters it to suit their purposes, FireEye adds.

The content published on the various websites consists of a mix of both original content and news articles appropriated, and sometimes altered, from other sources.

FireEye notes that it's already discovered additional social media accounts and websites linked to the alleged Iran campaign. "For example, we have identified multiple Arabic-language, Middle East-focused sites that appear to be part of this broader operation" that it has yet to call out, the company says in its blog post.

Facebook, meanwhile, says it continually strives to block inauthentic behavior "because we want people to be able to trust the connections they make on Facebook" (see Facebook's Security and Privacy Overhaul Comes at a Price).

The company adds: "While we're making progress rooting out this abuse, as we've said before, it's an ongoing challenge because the people responsible are determined and well funded. We constantly have to improve to stay ahead. That means building better technology, hiring more people and working more closely with law enforcement, security experts and other companies. Their collaboration was critical to our investigation since no one company can fight this on their own."

Watching Russia, China, Iran, North Korea

The discovery of new propaganda campaigns targeting the U.S., U.K. and other countries should not be surprising. U.S. intelligence officials have continued to sound warnings about online hacking and propaganda efforts being conducted by Russia, China, Iran and North Korea in particular.

"Influence operations, by their very nature, are intended to deceive by mimicking legitimate online activity as closely as possible."
—FireEye

In February, U.S. Director of National Intelligence Dan Coats testified before the Senate Intelligence Committee that those four nations pose the biggest online risk to the country's interests (see Russia Will Meddle in US Midterm Elections, Spy Chief Warns).

DNI Dan Coats testified about foreign cyber threats before the Senate Intelligence Committee on Feb. 13.

"Influence operations, especially through cyber means, will remain a significant threat to U.S. interests as they are low-cost, relatively low-risk, and deniable ways to retaliate against adversaries, to shape foreign perceptions and to influence populations," Coats testified.

He said warned that "many countries and some non-state actors are exploring ways to use influence operations, both domestically and abroad."

Zuckerberg on Tuesday told reporters that some of the inauthentic accounts it's removed in recent months appear to have originated not only in Russia and Iran, but also Mexico and Brazil.

Senate Probes Influence Operations

The Senate Intelligence Committee continues to investigate Russian influence operations.

"Our foreign adversaries are taking a page right out of Russia's playbook with the latest announcement by Facebook, and now Twitter. While I applaud Twitter for taking down 284 fake accounts, there is still more work to do," says Sen. Mark Warner, a Virginia Democrat who is vice-chair of the committee.

The committee's chairman, Republican Sen. Richard Burr of North Carolina, said in a statement on Tuesday that the revelations of Iran's alleged influence operations were further evidence of the need for the private and public sectors to work more closely together.

"Namely, that the goal of these foreign social media campaigns is to sow discord, that Russia is not the only hostile foreign actor developing this capability, and that addressing this threat requires technology companies, law enforcement, Congress, and the intelligence community working together," Burr said.

The committee is set to hear testimony on influence operations on Sept. 5 from Facebook COO Sheryl Sandberg, Twitter CEO Jack Dorsey and Kent Walker, a vice president at Google.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.